Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Default GW for VPN Client


I notice the default GW for VPN clients when connecting is the client's interface iteself. I am just wondering how would he be able to access other VLANs in the network?

R/ Haitham

Community Member

Re: Default GW for VPN Client


It is very easy. When you connect to your site

through VPN client, it depends on policy you

configured on PIX which routes will be pushed

to your interface on PC and than to your site and which not. If you configure all routes to be directed through VPN interface you will not be able to connect to other site.



Community Member

Re: Default GW for VPN Client


Can you please assist with an example?



Hall of Fame Super Blue

Re: Default GW for VPN Client

Hi Haitham

It's a bit like having a route on a router that instead of using the next hop IP address uses an outgoing interface instead.

So your default-gateway for the VPN client is the outgoing interface with IP address of the client end of the VPN tunnel. So all traffic no matter which subnet it is destined for will be sent down the tunnel.

Hope this makes sense


Community Member

Re: Default GW for VPN Client

Hello Jon,

I know this post was a while back, but like a good little boy I searched for my problem before starting a new post. :)

I had the same question Haitham did about why my VPN clients get their own IP set as their default GW. You answered that question... thanks! I still have another question though:

My ASA 5520 (which is what my remote clients VPN into) is connected on the inside interface to a VLAN network. I have a Cisco 6500 managing and routing this VLAN and others. When I connect in with my VPN client, I get assigned an IP address from the VLAN network that the ASA is connected to, but I cannot get to anything on that network or on any of my other VLAN networks. However, if I ssh into my ASA, I can ping anything on the ASA's inside network and other VLAN networks. Any idea why this is happening? I have static routes configured in the ASA for all of my other VLANs that point to the gateway of the ASA's inside network.

Thanks! -- BTR

Community Member

Re: Default GW for VPN Client


Try to double check that nat0 is properly configured, and that you have nat traversal enabled on the FW (isakmp nat-t)

hope this helps,


Community Member

Re: Default GW for VPN Client

Hi Haitham,

Like mentioned before the routes pushed through the tunnel will depend on the policies configured.

However, to have the client capable of communicating to other vlans (or the local LAN) you will need to configure split tunneling.

configuring split tunneling will slightly vary depending on the software version of the VPN server.

below I am listing how to configure it on the PIX FW version 6.x and version 7.x as well:

version 7.x:

version 6.x:

Use the following command when configuring VPN

vpngroup groupname split-tunnel

where specifying in the access-list all the traffic that you would like to pass through the tunnel, all other traffic not specified in the access-list will pass in the clear.

I hope that the above will be of assistance to you on this.

note that the GW of the tunneled traffic will remain pointing to the interface :)



CreatePlease to create content